NHS Trust Given £325k Penalty

In January this year I blogged about reports that the Information Commissioner (IC) had sent a notice of intent to serve a civil monetary penalty notice (CMP) of £375,000 on Brighton and Sussex University Hospitals NHS Trust. At the time I said

If this MPN is served, as intended, then the IC might be faced with headlines equating (for example) £375,000 to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances.

Well, it has been served, today. And though the amount has been slightly reduced – £325,000 – it is still by some way the largest CMP ever imposed by the IC. However, this case may be important for other reasons.

Firstly, it related to disposal of hardware containing sensitive personal data. As the IC’s press release says

It follows the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine (GUM) patients – on hard drives sold on an Internet auction site in October and November 2010.

The data included details of patients’ medical conditions and treatment, disability living allowance forms and children’s reports. It also included documents containing staff details including National Insurance numbers, home addresses, ward and hospital IDs, and information referring to criminal convictions and suspected offences

The IC has been running an “unscrubbed hard drives initiative” following a reported security breach in 2009 involving the sale of un-scrubbed hard drives on the internet containing personal data, and internal meeting minutes from January indicated that this initiative was nearing completion. It would not be surprising if some formal guidance on the subject was now issued.

Secondly, and more broadly, it is interesting and worrying to note the fact that a fundamental role in this data breach was played by a contractor appointed to securely destroy the hard drives. As a data processor (rather than the data controller) this contractor was not liable under the Data Protection Act 1998 (DPA) for any serious breaches: this is why the Trust takes the hit. However, the contractor in question was the Department of Health-accredited Sussex Health Informatics Service (SHIS). SHIS appears to have sub-contracted the work to “Company A” which in turn sub-contracted to a one-person “Company B”. This individual subsequently sold 232 hard drives on the internet auction site.

The contractual and sub-contractual confusion appears to have been key: the Trust did not even know that the individual had been appointed, and did not know that he had been attending their offices, ostensibly to remove and securely destroy the drives. Data controllers need to be acutely aware of what is happening to the personal data they control, and this obligation cannot be overlooked when they feel the data, or the hardware containing it, has become obsolete.

The fact that SHIS was so involved is particularly worrying. Health Informatics Services are expected to be in the vanguard of data security in the NHS. They say

Keeping data safe and confidential is a core duty for health service providers – and a core THIS service. Our award-winning Confidentiality and IM&T Security service helps customers to fully comply with national and local standards.

Under current law the IC’s powers to take action against a data processor are limited. That may change when the European Data Protection Regulation is ultimately enacted. One would hope, however, that SHIS, and the Department of Health, are looking very closely at their own compliance and security.

UPDATE: 15:15

The Trust has now issued a statement, which to an extent attempts to deflect responsibility on to the contractor. Duncan Selbie, the Chief Executive has said

We arranged for an experienced NHS IT service provider to safely dispose of our redundant hard drives and acted swiftly to recover, without exception, those that their sub-contractor placed on eBay

The Information Commissioner has ignored our extensive representations. It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would “prejudice the monetary penalty process”

He goes on to say

We simply cannot afford to pay a £325,000 fine and are therefore appealing to the Information Tribunal

If this transpires, it will be the second recent instance of an appeal of a CMP by an NHS body.

The Independent reports the Trust also saying

the fine would pay for the delivery of 300 babies, 50 hip operations, 30 heart bypasses and 360 chemotherapy treatments

This rather confirms what I predicted in January

the IC might be faced with headlines equating (for example) [an NHS CMP] to the amount it costs to employ a nurse, or a doctor or provide essential but costly medical treatment. I hope (and I am sure) he has a strategy for such circumstances

Perhaps this strategy will be revealed during any subsequent appeal proceedings.


Filed under Data Protection, Information Commissioner, monetary penalty notice

I should (not) Coco? EIRs and common law of confidence

Has the Information Tribunal once again followed too slavishly the principles of a 44-year-old expression of the doctrine of common law confidentiality?

In 2008 the then Information Tribunal held that the Home Office had not been entitled to rely on exemptions in the Freedom of Information Act 2000 (FOIA) when dealing with a request from the British Union of Anti-Vivisectionists (BUAV). Specifically, the Tribunal held that some of the information in question did not attract the protection of the common law of confidence (which, for complex reasons was invoked through the interplay of section 24 of the Animals (Scientific Procedures) Act 1986, and section 44 of FOIA, rather than section 41 FOIA, which deals in explicit terms with confidential information). The Tribunal relied heavily in its analysis of the law of confidence on the principles in the landmark case of Coco v AN Clark (Engineers) Ltd (1968) FSR 415 Ch D. On appeal to the High Court, Mr Justice Eady was critical of this reliance, pointing out that there had been significant developments in the law since Coco v Clark:

The Tribunal rather proceeded on the assumption that “the law of confidence” was to be found only in the principles explained by Sir Robert Megarry in Coco v Clark. It assumed that this authority provided an exclusive definition such that, whenever the phrase “in confidence” was to be found in a statute, the legislature must be taken to have had those principles in mind. With respect, however, this does not seem to me to be necessarily the case. Much will depend on context.

It is clear, for example, that the law of confidence is not confined to the principles governing the circumstances in which an equitable duty of confidence will arise; nor to the specialist field of commercial secrets. An obligation of confidence can arise by reason of an agreement, express or implied, and presumably also by the imposition of a statutory duty. (Secretary of State for the Home Office v BUAV & Anor [2008] EWHC 892 (QB))

It is thus important to bear in mind, for the present case, the broad principle, stated by Buxton LJ in McKennitt at [11], that “… in order to find the rules of the English law of breach of confidence we now have to look in the jurisprudence of articles 8 and 10”. The Tribunal did not address these developments at all and thus proceeded on an incomplete understanding of the present law.

(emphasis added)

It is somewhat surprising, therefore, to read the recent judgment of a differently constituted First-Tier Tribunal (Information Rights), considering the extent to which environmental information was exempt from disclosure under regulation 12(5)(e) of the Environmental Information Regulations 2004 (EIR). Regulation 12(5)(e) provides that

a public authority may refuse to disclose information to the extent that its disclosure would adversely affect…the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest

The case – Jones (on behalf of Swansea Friends of the Earth) v IC & Environment Agency – involved a request for information relating to financial guarantee arrangements put in place by a landfill site operator, as a condition for obtaining a permit to operate a waste landfill site near Swansea. It was common ground that the request was for environmental information, and that the information was commercial in nature, so the main question which fell to be decided by the Tribunal was whether the information was

subject to a duty of confidence provided by law because the information was created and provided in circumstances giving rise to an obligation of confidence

At paragraph 35 of its judgment, the Tribunal says

The well-established test in Coco v Clark is that, apart from contract, for a common law breach of confidence claim to succeed, three elements must be present:

(a) the information itself must “have the necessary quality of confidence about it”;
(b) the information must have been imparted in circumstances importing an obligation of confidence; and
(c) there must be an unauthorised use of that information, to the detriment of the party communicating it.

(emphasis added)

With respect, the Tribunal here appears to have had no regard to Eady J’s dicta, and the many recent authorities he cited, in Home Office v BUAV.

Accordingly, the Tribunal went on to hold (para 36) that it

[did] not see that it can be said that the [financial guarantee arrangement] information was imparted in circumstances importing an obligation of confidence…[because] the information came into existence through a process of negotiation between the parties

The Tribunal drew support for this from the findings of a (differently-constituted) tribunal in a case concerning the analogous (but differently-worded) section 41 exemption in FOIA concerning confidential information:

We recognise that section 41 refers more explicitly to information being “obtained” by the public authority from any other person. That is not the language of regulation 12(5)(e). However, we consider that the same element is imported by the incorporation of the common law test of breach of confidence into regulation 12(5)(e) of the EIR. In short, we find that the second element of the test in Coco v Clark has not been met and the information is not subject to a duty of confidence provided by law. (para 38)

This extension of the FOIA confidentiality principles into the EIR is controversial in itself. It becomes even more so when compared with a previous Tribunal decision on regulation 12(5)(e). In South Gloucestershire CC v IC & Bovis Homes (EA/2009/32) the more restrictive language of section 41 FOIA was explicitly contrasted with that of regulation 12(5)(e). The Tribunal held there that the Council’s own information could attract the protection of the law of confidence, without the necessity of its having been provided by a third party. See this helpful article by Practical Law Company for further on this, and for reference to the rather regrettable fact that South Gloucestershire v IC & Bovis Homes was not mentioned by the Tribunal in the instant case.

The slavish adherence to the Coco v Clark principles also risks – as Eady J alluded to when citing Buxton LJ – overlooking the significance of the jurisprudence of the European Convention on Human Rights as it applies to confidential information. In Veolia ES Nottinghamshire Ltd v Nottinghamshire County Council & Ors [2010] EWCA Civ 1214 the Court of Appeal considered, in a case under the Audit Commission Act 1998 (ACA), whether commercially confidential information could constitute a “possession” protected by article 1 of the First Protocol of the Convention, and, potentially, by extension, Article 8. Lord Justice Rix said

I can see no reason, in the light of the Strasbourg jurisprudence which does exist, why valuable commercial confidential information, such as the evidence in this case demonstrates is in question here, particularly with respect to the second disputed documents, cannot fall within the concept of “possessions”

I am not entirely convinced that English common law has always regarded the preservation of confidential information as a fundamental human right, although I accept that it has been recognised and accepted by our common law. Nevertheless, in the light of at least article 1 of the first protocol, it can now be seen that it is a species of “possessions”, with which the state cannot interfere without justification

Disclosure of information under a regime such as the EIR (or FOIA) is different to the potential unfettered disclosure proposed under the ACA, and the public interest provisions might provide the “justification” for state interference discussed by Rix LJ. Nonetheless, it seems surprising to say the least that Jones v IC & Environment Agency proceeded without reference to any of the more recent authorities on confidentiality.

It is notable that Jones v IC & Environment Agency was determined on the papers, without the benefit of oral argument. It would greatly assist both public authorities, and the commercial organisations with whom they interact, if these points were fully argued, and a reasonably definitive position laid down, by an appellate court.


Filed under Confidentiality, Environmental Information Regulations, Information Tribunal

Equifax in breach of DPA and common law duties

(20.02.2013 – NB – this judgment was subsequently overturned in the Court of Appeal – please see my blog post here)

An interesting case has been heard in the High Court, before His Honour Judge Anthony Thornton QC, in which the claimant succeeded in showing breach of the Data Protection Act 1998 (DPA), as well as common law breach of a duty of care, on the part of the Credit Reference Agency Equifax. He also succeeded in showing this caused damage, because he was unable to access personal and company banking services.

Mr Smeaton, the claimant, had for complex and unusual reasons, been subject to a bankruptcy order which was made on 1 March 2001, but almost immediately stayed, on 10 March 2001, and rescinded on 22 May 2002.

Despite this, the records kept by Equifax relating to Mr Smeaton wrongly showed that between 12 March 2001 and 17 July 2006 he was subject to the bankruptcy order. In June and August 2006 Mr Smeaton had, on his own behalf and on behalf of his company, Ability Records Ltd, made applications to Nat West Bank for account and overdraft facilities. These applications were refused by Nat West, having consulted Mr Smeaton’s credit file held by Equifax.

The judge held that Equifax had never reviewed its procedures for recording and reviewing the accuracy of bankruptcy information: it relied entirely on information provided by consumers (or placed in the London Gazette by consumers) before reviewing or amending entries (and Mr Smeaton was heavily dyslexic and not aware of the existence of Equifax and other credit reference agencies, nor their procedures). Although Equifax had argued that it was “wholly impracticable to undertake the checks that would be necessary if it was to itself ascertain when a bankruptcy order was discharged or otherwise brought to an end or stayed”, it had failed to distinguish between the (very large) number of bankruptcies that were eventually discharged, and (the relatively tiny number of) those which were subject to annulment, rescission or stay:

Equifax should have considered whether it was possible to find a quick, reliable and cheap way of being informed of annulment, rescission and stay orders which did not rely exclusively on consumers drawing such orders to its attention

Equifax (as data controller) were in breach of the fourth data protection principle in part 1 of Schedule 1 of the DPA, which states that

Personal data shall be accurate and, where necessary, kept up to date

Although there is a proviso (at part II of Schedule 1) which says that a contravention of the fourth principle will not take place if the data controller has taken reasonable steps to ensure the accuracy of the data, Equifax’s failure to have considered a way of being informed of annulment, rescission or stay meant that they could not rely on this.

The judge held also that because of the liability imposed on Equifax by the DPA, it also assumed a duty to act with reasonable skill and care at common law, and it had acted in breach of that duty.

Finally, the judge held that it was

inescapable that the [bank] applications were refused on the sole ground of Mr Smeaton’s bankruptcy entry on his credit file

and that therefore his failure to obtain funding was

as a direct result of Equifax’s breach of the data protection principles and, in particular, as a direct result of its retaining on Mr Smeaton’s credit file details of his undischarged bankruptcy order between 12 March 2001 and 17 July 2006

Mr Smeaton claims that the result of this was that

His life descended into a tragic mixture of homelessness, living in a car on the streets, mental breakdown, impecuniosity and a consequent inability to progress his business affairs as a direct result of the enormous shock on discovering that he had had an adverse credit record for the last five years and that the bank on which he had pinned so much hope in providing Ability with the necessary step up to obtain the SFLGS, itself an essential feature of its business plan, prevented him from taking anything other than relatively modest steps to further that plan for many months

However, the trial on causation and damages will be heard separately at a later date. This is a claim based on section 13 of the DPA, which provides that

An individual who suffers damage [and distress if it arises from that damage] by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage

It is worth noting that since 2008 an electronic version of the Individual Insolvency Register has been provided to Equifax under a subscription arrangement between them and the Insolvency Service. As the judge said

Due to advances in the electronic processing of credit data and to legislative changes in the insolvency legislation concerning personal bankruptcies, it is very unlikely that the highly unusual facts of this case will ever re-occur in the future

However, it is not particularly common for a section 13 claim under the DPA to succeed, especially given the difficulty of proving damage (see Johnson v Medical Defence Union [2007] EWCA Civ 262 for an example of the difficulty in making a successful claim), so this is a case data protection practitioners should continue to keep an eye on.

Filed under Data Protection

Will NHS appeal ICO fine? Let’s hope so.

The Information Commissioner (ICO) today announced that it had imposed a monetary penalty notice (MPN), under section 55A of the Data Protection Act 1998 (DPA), against Central London Community Healthcare NHS Trust. The penalty was in the sum of £90,000, and was imposed after

patient lists from the Pembridge Palliative Care Unit, intended for St John’s Hospice, were faxed to the wrong recipient. The individual informed the Trust in June that they had been receiving the patient lists – around 45 faxes over a three month period – but had shredded them.

The patient lists contained sensitive personal data relating to 59 individuals, including medical diagnoses and information relating to their domestic situations and resuscitation instructions

All very interesting, particularly because this was only the second MPN imposed on an NHS body, after one last month against the Aneurin Bevan Health Board.

What was even more interesting, however, was to read on the publicservice.co.uk website that CLCH Trust are saying they will appeal the MPN. This would be the first such appeal, and would be very important in terms of getting some judicial opinion on the law and the ICO’s application of it.

Section 55A of the DPA gives the ICO the power to impose an MPN, while section 55B provides that a person on whom the notice is served may appeal to the First Tier Tribunal (Information Rights) against both the issue of the notice and the amount.

Regulations and an Order (the snappily-titled The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and The Data Protection (Monetary Penalties) Order 2010) make further provision for both the imposing of and appeal against an MPN. Additionally, under section 55C the ICO must issue guidance on “the circumstances in which he would consider it appropriate to issue a monetary penalty notice, and how he will determine the amount of the penalty”.

On appeal the Tribunal can consider both whether the MPN was in accordance with the law and whether, to the extent that it involved an exercise of discretion by the ICO, he ought to have exercised that discretion differently. The statutory section 55C guidance, and whether the ICO has adhered to it, will clearly be important, but so will, I would suggest, any evidence as to consistency of approach. An appellant would do well to submit evidence of examples where similar or worse apparent breaches of the Act have not resulted in an MPN. As Stewart Room wrote some months ago

what is ICO’s plan? By this I mean, how does ICO arrive at its figures and how are they justified?

We’re probably not going to get to the bottom of this until someone takes a case on to appeal, but as we are nearly two years into the fining regime I think we’ve arrived at the point when we can legitimately expect ICO to explain where it is heading with the fine and what has driven its decisions so far.

Perhaps we have indeed now arrived at that point.

EDIT, 7 August 2012:

The Trust are indeed appealing the MPN, and the Information Tribunal has listed it for a three-day-hearing in December. This will be a major case.


Filed under Breach Notification, Data Protection, Information Commissioner

How to overlook an FOI request

Is it realistic or helpful for the law to be that any written request for information should fall under FOI?

On 23 April I noticed that an appeal to the First Tier Tribunal (Information Rights) had been made by Ryanair regarding a Freedom of Information Act 2000 (FOIA) matter, also involving the Office of Fair Trading (OFT). The Information Commissioner (ICO) Decision Notice in question has the reference number FS50391208. Knowing that Ryanair are sometimes a rather controversial outfit (although one acknowledges a lot of the controversy might actually be self-serving) I was interested to read the Decision Notice in question. The Tribunal’s website is rather basic, and the list of current appeals is uploaded only as a PDF document. This means that to read the Decision Notice in question one has to search for it elsewhere. However FS50391208 was, and is, nowhere to be found (unless my search skills have let me down).

This is a bit odd: a Decision Notice is a public document which the ICO issues when an application is made to him for a decision as to whether “a request for information made by the complainant to a public authority has been dealt with in accordance with the requirements [of FOIA]” (section 50, FOIA). I say “public” but as far as I know the open publication of Decision Notices is at the discretion of the ICO – nonetheless, it is clearly his standard custom to do this. So, any Decision Notice, especially one appealed by a company such as Ryanair, which is not published, might attract interest (bear in mind that Ryanair will have made the request in question, and the OFT is the public authority involved). It is, of course, possible that an error has occurred: for instance, the Tribunal might have published the wrong reference number (although a search on the ICO’s site doesn’t throw up any Ryanair Decision Notices), or someone might just have omitted to upload the Notice.

Accordingly, I sent a tweet to the ICO’s twitter account

Hi @ICOnews DN FS50391208 (OFT) which Ryanair are appealing does not appear to be on your website. Can we see it pls?

I didn’t receive any reply, so, a few days later, sent another

Hi @ICOnews – I asked this q the other day https://twitter.com/bainesy1969/status/194375116493291520 Any answer pls? It wd qualify as FOI request after all 🙂

I still haven’t received a reply. Perhaps my little emoticon made the tweet not seem serious? By my calculation the ICO’s twenty working days to respond is up tomorrow, so I thought I’d blog this today, lest the lovely ICO people I met at last week’s PDP conference think I’ve just waited until the time is up before reminding them (again).

The ICO has said that FOI requests made by twitter are valid requests, and I’ve previously blogged about this. But it does make me wonder how realistic it is for a public authority (especially a large one, which, with all due respect, the ICO is not) to be expected to monitor all information channels in case a request for information is made (which doesn’t even need to mention FOI, of course). The Irish Freedom of Information Act 1997 requires requesters to state that the request is made under the Act. Although that would not really help the ICO in my example here, it would avoid the situation where an FOI request is lost among reams of correspondence on a related matter. I don’t think an amendment of FOIA to this effect has been proposed in the UK, but I’m starting to think it might be a good idea.

This isn’t the most pressing issue facing FOI, and light touch regulation should mean that no one loses too much sleep if a request is inadvertently overlooked, but it is a subject which keeps nagging at me.

I rather suspect I’ve previously advocated against requiring requesters to invoke FOI in a response, and I reserve my right to change my mind again. As Lawrence Serewicz said in his inspiring talk at that PDP Conference, he has very strong opinions, but he holds them very weakly. I like to think I’m the same.


Filed under Freedom of Information, Information Commissioner

MPs and Data Protection offences, part two.

In which I follow up a previous post, ask the ICO what action he is taking and consider the implications for ICO funding under the proposed amendment of data protection laws

In a previous post I pointed out that 22 MPs who had been identified in October 2011 as not having registered with the Information Commissioner (ICO) were still showing as not being registered. As I said, failure to register in circumstances where there should be a registration constitutes a criminal offence under section 21 of the Data Protection Act 1998. The blog post got some interest, so I thought I should follow it up with this request to the ICO under the Freedom of Information Act 2000. The request can be seen on the excellent whatdotheyknow.com but I thought it would be useful to post a copy here:

Dear Information Commissioner’s Office

In October last year you disclosed to another requester a list of 46 MPs who had not renewed their section 18 DPA registration with your office. You explained some of the procedure for enforcing the statutory requirement to register, and explained that

“Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.”

It appears, from a check of your register that, currently, 22 of those same MPs have still not registered, more than seven months later. These are

Z1243695
NIGEL EVANS MP
Z1434043
GAVIN BARWELL
Z1939110
EDWARD LEIGH MP
Z9286519
KHALID MAHMOOD MP
Z1993957
JAMES CLAPPISON MP
Z1102604
ANGUS ROBERTSON MP
Z9256111
JIM SHANNON
Z927838X
DAVID SIMPSON
Z1577500
DAVID BURROWES
Z1538835
PAT DOHERTY MP MLA
Z2134863
MARGARET CURRAN
Z2241138
RACHEL REEVES MP
Z2241519
NIGEL ADAMS
Z2247846
STUART ANDREW
Z9938280
SHAILESH VARA MP
Z2342005
TRISTRAM HUNT
Z1893869
PAUL BERESFORD
Z1903198
CHRISTOPHER CHOPE MP
Z2378834
JESSICA LEE
Z8752516
ERIC JOYCE MP
Z2343491
ZAC GOLDSMITH MP
Z1728512
ADAM HOLLOWAY

I note that in several instances these MPs appear not to have renewed their notification for over a year.

Please inform me, under the Freedom of Information Act 2000

1. What enforcement action has been taken against these MPs?
2. How many reminders each has been given (I understand you normally operate a two-reminder, then enforcement, system)
3. In addition to these 22, how many other MPs have not renewed their notification? (as more than seven months have elapsed I presume there will be some additional notifications which have lapsed).

I acknowledge that the online register does not guarantee to be up-to-date.

As my previous post said, enforcement of this provision of the DPA does not appear to have stopped: I have seen no announcement to suggest this, and it would be odd, to say the least, if the ICO decided to turn a blind eye to one of the clear offences in the DPA. What would make it particularly odd is the fact that registration represents a huge revenue stream for the ICO, and the more data controllers who register, the greater the income. A fee is levied against a data controller when they register, which amounts to either £35 or £500, depending on the size of the organisation. The last set of accounts show that the income to the ICO from this stream was just short of £15 million.

Clearly it is in the ICO’s interest to enforce this requirement. A failure to enforce, or a perceived failure to enforce could lead to data controllers deciding it’s worth taking a risk by not registering, to save an annual £35 or £500 (they know they would get at least two reminders as it is).

Finally, I note that under amendments to the statutory scheme which will follow the enactment of a new European data protection Regulation, this requirement to register will probably be removed. I presume someone has thought about the effect this will have on the funding of the ICO? £15 million is a hell of a lot to lose, and, the office is underfunded as it is.


Filed under Data Protection, Information Commissioner

Godwin’s Law and Data Protection (or, Let’s Be Careful Out There)

A data protection officer I know has been having a bit of a hard time lately from his managers for questioning their relentless push to encourage greater sharing of information between their public sector organisation and other public sector bodies. My friend has been accused of not being a “can-do” person. In defence of his managers, they are being pushed themselves: despite the Conservative party’s pre-election pledge to “scale back the database state” and the Lib Dems’ commitments not to harvest unnecessary information about people’s private lives, data-sharing is being vigorously promoted.

Sometimes it’s important to share data. I blogged only yesterday about a situation where (if it’s true) a failure to share data possibly had tragic consequences. Similarly I remember once, when I worked in a mental health clinic, how two police officers came in and asked if we knew the whereabouts of one of our regular patients: I had been warned that some police officers would try to trick us into revealing information about our patients, but I knew that this patient was highly vulnerable and unstable and the officers apparently had good reason to know the information. I exercised a discretion that I still wonder about today to disclose that personal data. It was a judgement call, and sometimes you get them wrong – I hope I didn’t then.

However, it is surely not uncontroversial to say that there are risks in excessive data-sharing. Paul Bernal has blogged today, prompted by the worrying success of the neo-Nazi Golden Dawn movement in last week’s Greek elections, about the importance of recognising what are the current, and historical, implications of surveillance of citizens by the state. “Surveillance” can take many forms – sometimes it’s video recording of people, or retention of their DNA. Sometimes it’s not even the state doing it, but citizens themselves: I recently wrote a rather crude post (which I need to re-visit) questioning whether it was a good idea to have hyper-local media collating and publishing information about people appearing in magistrates’ courts.

Sometimes, as well, it can take the form of creeping databases. Thus, hypothetically, the state is able to collate the following: person W, who is Jewish, knows person X, who is a trade unionist, who has been known to associate with person Y, who is disabled and has twice been accused of crime Z. The state thinks this is useful data. It might be, but equally it might be excessive, or unnecessarily gathered, or retained too long.

In a modern, liberal, state, none of the identifying features in my hypothetical example should really raise an eyebrow. In a non-liberal state, however, similar information that has possibly been innocently, or naively, collated, can be misused in horrendous ways: so, in 1940s Holland, municipal registers were used by the Nazis to identify and persecute Jews, trade union membership lists were used to persecute organised labour, and public health and crime records were used to persecute the disabled and criminals.

Maybe I’ve godwinned myself and my own blog, but one cannot avoid the fact that modern digital communication and storage are tremendously powerful – unimaginably so compared to even ten years ago, let alone 70 years. Data-sharing can have enormous and beneficial implications, but we need to exercise caution. We mustn’t amass personal data just because we can. We mustn’t use that data for purposes which were not envisaged when we gathered it. And we mustn’t retain that data just because we can’t be bothered to think what to do with it after its usefulness has passed.

As it happens, all the foregoing principles are actually enshrined in the statutory Principles in the Data Protection Act 1998. That Act gave domestic effect to an EC Directive, which in part had its genesis in the European Convention on Human Rights. That Convention – in turn – had its genesis in the lessons learned after a fascist party gained support in Europe, and then ultimately took power in a fractured and devastated country.

 


Filed under Data Protection, Privacy

Data Protection Obscenities

A tragic story about the suicide of a young man, and the apparent ridiculous citing of the Data Protection Act to explain why his mother was not warned.

A few years ago, Richard Thomas, the then Information Commissioner (ICO) launched a campaign to counter what were called “Data Protection Duck Outs”. It got some media attention, but I’ve always thought it suffered from sounding like the kind of phrase a “hip” teacher, or my parents, would have come up with. The ICO said

The Data Protection Act does not impose a blanket ban on the release of personal information. It requires a common sense approach, and should not be used as an excuse by those reluctant to take a balanced decision.

The bad-practice examples cited to illustrate the campaign were mostly light-hearted

In September 2008, Marks and Spencer wrongly blamed the Data Protection Act when they told a mother they could not discuss the delivery of her seven year old son’s Superman suit because it would infringe his data protection rights.
ICO view: Organisations should be cautious about releasing details of an order or account to a third party. However, in this case M&S was not being asked to release any personal information (only to confirm that a part of the suit was missing, and send it), so M&S could have spoken to the boy’s mother without breaching the Data Protection Act.

or

In 2005 it was reported that Catholic priests were no longer allowed to pray out loud for an ill person by name because they might be breaking data protection rules.
ICO view: Unless this sort of information was formally held on file it would not be covered by the Act. Even if it were on file, there would only be a breach if the person had specifically asked not to be mentioned or the church had reason to believe they would object.

Well, if the following story from thisiscornwall.co.uk is true, I have a current-day example, and I wouldn’t call it a “duck out” but an obscenity.

A man with a history of drug abuse killed himself in Camborne after being released from police custody, where he was detained under the Mental Health Act, a coroner has heard….Because of the Data Protection Act [his mother] did not know that her son had been detained and said she was powerless to help him.

The “duck out” campaign was launched because of misconceptions about the Data Protection Act 1998 (DPA). The DPA certainly has faults, but you can bet your house that when you hear someone blaming the DPA for not doing something, it is either because they have made a mistake, and are trying to cover themselves, or because they are ignorant of what the Act does and does not permit. The Cornwall story is unclear as to who allegedly cited the DPA for not informing this poor man’s mother, but, just to be clear, Schedule 3 of the Act specifically permits disclosure of sensitive personal data where

The processing is necessary…in order to protect the vital interests of the data subject or another person, in a case where…consent cannot be given by or on behalf of the data subject, or…the data controller cannot reasonably be expected to obtain the consent of the data subject.

This is before we get to considering other factors – for instance whether an appropriate adult was a requirement in this instance, and the fact that under section 56 of the Police and Criminal Evidence Act a person detained has the right to have someone informed. In which case there would certainly have been other conditions permitting disclosure (thanks to @MentalHealthCop on twitter, for pointing this out, and for alerting me to the story in the first place).

In 2004 the Bichard Inquiry report into the Soham Murders was highly critical about the misunderstandings and misinterpretations of the DPA which led to Humberside Police deleting information about Ian Huntley, and which subsequently meant that when Cambridgeshire Police ran checks on him, when he applied for a school-caretaker position, nothing came up.

The term “duck-out” doesn’t begin to describe the enormity of the mistaken decision to delete Huntley’s data, nor, if this Cornwall story is accurate, does it begin to describe the enormity of the decision – whoever might have taken it (and the story is unclear) – not to tell Daniel Carrick’s mother her son was detained. The current ICO is very keen to clamp down on serious breaches of the DPA, but these are almost exclusively concerned with the loss of, or inadvertent disclosure of, personal data. Perhaps he should also be alive to stories like this, which suggest potential tragic misconceptions and misuse of the DPA, and which really should carry the term Data Protection Fuck-Ups.

 


Filed under Data Protection, Information Commissioner, police

Politicians break the law – where is the ICO?

Following up a post from last year, it appears that some MPs continue to flout their legal obligations under the Data Protection Act, potentially committing a criminal offence, and that the ICO doesn’t seem to be taking action. I’m happy to be told otherwise

Back in November last year I blogged on the fact that 46 MPs had apparently failed to comply with their statutory obligation to notify the Information Commissioner of their status as a processor of personal data. In general terms Section 21 of the Data Protection Act 1998 creates a criminal offence if a data controller processes personal data without an entry being made in the register held by the Information Commissioner (ICO). Although there are rumours that the obligation to register will be removed when the DPA is ultimately amended or repealed, following the enactment of the European Data Protection Regulation (currently in draft), all the relevant provisions are very much still in force.

At the time the ICO said

…our non notification process is to write to them asking for their comments and advise them to consider their need to notify. If the entity registers or provides a suitable explanation…that is usually the end of the matter and no further action is taken. If no response (or an inadequate response) is forthcoming then we write again explaining the requirement to notify and advising that failure to respond may result in the matter being passed to our legal team for consideration of prosecution. If there is still no response then the file is passed over for the legal team to consider the evidence and if they think there is sufficient evidence they will write advising that if no registration is received within 14 days or representations made as to why a prosecution should not be carried out then a summons will be issued. If registration is then forthcoming then that is the end of the matter and no further action is taken. Prosecution is usually the last resort when all else fails and we do give ample opportunity for the data controller to register. The legal team are not currently considering any MPs for prosecution.

Well, I’ve just checked that list of 46 MPs who had not renewed their registration as at October last year, and, according to the register (which I stress is, as the ICO says, not necessarily absolutely up-to-date), 22 of them still haven’t (bear in mind as well that there may well be others whose registration has lapsed in the interim). Most of those 22 are those whose registration has lapsed for longest. The worst apparent example is one MP who has not renewed his registration since July 2010! That is potentially almost two years of illegal processing of personal data.

It is not as though the ICO never exercises his prosecution powers for non-registration. He certainly does – and has a “non-notification team” to deal with this sort of thing (although the last prosecution I can find was in March last year).

My checking was prompted by an exchange on twitter with Alistair Sloan, who made enquiries of the ICO about registrations by Members of the Scottish Parliament, and by the Respect Party. Alistair was told

Our Non-Notification Team, part of our Enforcement Department, have confirmed that the ICO has not contacted any members of the Scottish Parliament since 5th May 2011 in connection with Notification under the Data Protection Act 1998 (the DPA). Whilst this Team did work on a project which involved contacting MSPs to remind them of the notification requirements under Part III of the DPA, this project took place some time before the date you have specified of 5 May 2011.

and

Having conducted thorough searches of our notification records we have been unable to find any register entry, either current or one which has lapsed, in the name of the Respect Party. Therefore, it appears that the Respect Party has not notified under the DPA at any time since its formation in November 2004.

but

all of the issues you have raised in respect of the notification status of the data controllers… above have been brought to the attention of our Non-Notification Team within our Enforcement Department. They will therefore consider what further action is appropriate in the circumstances

One assumes that the “further action” will be reminders. If the Respect Party now registers, I think it’s highly unlikely the ICO will take retrospective action for the seven-and-a-half years when it failed to do so. As it is, reminders appear to have failed to move 22 MPs to comply with their legal obligations, and no apparent action is being taken against them (I would love the ICO to correct me on this). One can’t avoid asking what sort of enforcement, what sort of deterrent is this?


Filed under Data Protection, Information Commissioner

A Marathon Task for the ICO

Will the London Marathon data breach trigger the ICO’s powers to issue a monetary penalty notice? If so, the ICO is in a tricky position, if he is seen to be effectively “fining” such a high-profile charity, and delivering that money to central government coffers.

Reports emerged on 23 April that the personal data of runners in this year’s London Marathon had inadvertently been disclosed on the organiser’s website. It appears that names, home addresses and email addresses were exposed. The BBC says

The details were accessible all day to anybody logging on to the site…Marathon organisers apologised and said the mistake had been rectified

A data controller must observe its various obligations under the Data Protection Act 1998 (DPA). London Marathon Ltd appears to be the data controller in this instance, and it donates any surplus income to The London Marathon Charitable Trust. Last year the charity received £4.6m from the company. Some of the income came from the entrance fees of the runners themselves.

The seventh principle of the DPA says

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

A breach of that principle may attract the attention of the regulator of the DPA – the Information Commissioner (ICO). The ICO has various options open to him in the event that he finds that a serious contravention has taken place. In some instances he will require a data controller to sign an undertaking to improve its practices, but since 2010 he has had the power, under section 55A of the DPA to issue a monetary penalty notice (MPN), to a maximum of £500,000. To date he has issued fourteen, largely to local authorities, and the maximum penalty has been £140,000.

The ICO has issued guidance [PDF] on the issuing of MPNs, which expands on the statutory factors which would trigger exercise of the power:

there has been a serious contravention… of a kind likely to cause substantial damage or substantial distress…[and] the data controller…knew or ought to have known… that there was a risk that the contravention would occur, and

…that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but…failed to take reasonable steps to prevent the contravention

The BBC reports that the ICO has said

This is something the Information Commissioner will need to look into to see how it has come about.

It’s the reasons these things come about that determine the course of the investigation.

Every case is different and we will certainly be making enquiries.

If the ICO does issue a MPN the money paid goes into the consolidated fund – the government’s own bank account. It is one thing to fine a local authority, and, as I have argued before, politically sensitive to fine, say, an NHS body, but it would be an enormously brave act for the ICO to fine an organisation for disclosing the personal data of thousands of the very people whose amazing efforts have contributed to the funds which would have to be depleted to pay the fine. Even more so when one sees the huge contributions being made to the charity supported by one runner who tragically died in this year’s race.


Filed under Data Protection, Information Commissioner